Bug 240552 added a whitelist to XPInstall. For the Mozilla suite the point was not to restrict functionality from friendly sites but to protect against unknown malicious sites. Since the XPInstall confirmation dialog will still always show up as the main security measure, I'm happy adding additional Mozilla developer sites in the short term. Unfortunately I didn't get any nominations in that bug before I fixed it, so this bug will hold those. Long term we will have a UI solution (bug 241705). I'll start off with www.hacksrus.com, host to the active development versions of chatzilla and venkman. Do we want to add that one (opening it up to all members of hacksrus, not just ginda), or figure people who want it are smart enough to add it on their own?
Should we add bugzilla.mozilla.org to the -BLACK-list? Makes testcases harder to deal with but too many people can add content here. Since you can't add script to a bug comment I think you'd have to be able to add an attachment to take advantage. But if you can add an attachment then it'd be easy. :-(
I have a list of extensions I install with every upgrade, so here are the ones bug 240552 affected: <http://www.mozcafe.com/> contains additional spellchecker languages, as well as a splash.xpi that changes the splash screen. <http://tecwizards.de/mozilla/> contains the "paste and go" extension. <http://3rdhand.info/mozilla/home/> contains the ever popular "Home button" add-on. <http://cgi29.plala.or.jp/%7Emozzarel/> contains a few add-ons, like the Bookmarks Link Checker, and the Browser Spell Checker (for text fields and web forums) and of course <http://white.sakura.ne.jp/%7Epiro/xul/xul.html.en> contains many extensions, like Tabbrowser Extension. I've also got a small site <http://ilias.ca/>, that hosts prefsize.xpi, which makes the preferences window resizable.
A few more: <http://skypilot.projectit.com/> hosts the skypilot theme. <http://projectit.com/freestuff.html> hosts many themes, which seem to reside on <http://skypilot.projectit.com/>. <http://www.java.com/en/download/manual.jsp>: Sun makes JRE available through XPI.
And of course, there's the Extensions Mirror by sboulema: http://www.extensionsmirror.nl/ Big vote now for that one.
Yep, my site deserves an entry in the list, I guess ;)
Pinball and GrayModern themes for Mozilla http://mozilla-themes.schellen.net/ Theme installation is blocked unnecessarily. Themes can't contain executable code when installed from a jar file. Anyway, until this issue is resolved, theme pages should be included in the whitelist.
InstallTrigger.installChrome() can install more than just skins, unfortunately, but I agree that themes are not as dangerous as the rest. I guess it wouldn't be too hard a change though.
My themes are located at http://www.cs.txstate.edu/~as1130/themes/*theme_name*/theme.jar, so would adding http://www.cs.txstate.edu/~as1130/themes/ to the whitelist be adequate? I use a redirection service (http://www.mozthemes.tk) that points to http://www.cs.txstate.edu/~as1130/themes/, but I don't know if the redirection service would mess up the XPInstall...
If my site http://www.extensionsmirror.nl/ gets added, will http://extensions.extensionsmirror.nl and http://themes.extensionsmirror.nl also be whitelisted? If not, please add them to the list.
Many popular Firefox themes: http://home.comcast.net/~lynchknot/fthemes.html
My theme files are located at: http://www.tom-cat.com, http://tom-cat.com, http://www.catthief.com and http://catthief.com. I included both the root domain and the www. prefix, not knowing exactly how your whitelist is handled.
Nois 2.0 theme for both Firefox and Thunderbird http://www.deviantart.com/deviation/4266778/ http://www.deviantart.com/deviation/5706856/ http://www.deviantart.com/deviation/5316474/
Red Cats and Curacao themes for Firefox: http://www.bluecatsgraphics.com/
The problem with sites like http://isp.com/~member/ is that we can't whitelist just the one member. Do we trust that a scumware vendor wouldn't be willing to sign up for an account on one of our default whitelisted sites if that meant they could get around the restriction on pushing their wares? I think we need to give up on whitelisting additions, there are just too many sites to be fair. Letting theme installs bypass the whitelist restriction will help tremendously -- that should be step one. After that we should just get the UI implemented so people can easily restart blocked installs and whitelist their own favorites.
http://white.sakura.ne.jp/~piro/xul/xul.html.en ContextMenu Extensions Tabbrowser Extensions Sidebar Window for Mozilla & Netscape 7 Rewind/Fastforward Buttons + more (kinda hard to avoid this guy :) Chrispederick.com User Agent Switcher Web Developer (web dev toolbox supreme)
For plugins, I'd suggest adding the following: java.sun.com (Java); java.com (Java); parallelgraphics.com (Cortona VRML); host.cycore.net (Cult3D); bxwa.com (FastBid); ipix.com (iPIX); virtools.com (Virtools Web Player, untested and not on PluginDoc at present). Food for thought: iol.ie (ActiveX plugin, as much as I hate the thing); netscape.com (tends to have interesting XPIs from time to time). With the exception of iol.ie and netscape.com, all the sites above are vendor sites, so the concerns in comment 14 aren't so much of an issue. In the case of netscape.com, there have often been useful things like Flash XPIs there.
Is there a Firefox version of this bug?
My Silver Skin theme files for Firefox are located at: http://www.maurobartoccelli.com/silverskin/silverskin_1.5.jar http://www.maurobartoccelli.com/silverskin/Silverskin_2.0_(Firefox_0.9).jar http://www.maurobartoccelli.com/silverskin/Silverskin_2.1_Default_theme.jar
About theme installation: see bug 246375.
Not sure if this is still valid or not, but better safe than sorry, I suppose. Future versions of GrayModern for Firefox (and probably the new Modern theme as well) will be hosted on: http://www.finalstar.com/
Navigation toolbar and themes for my online classes: http://papyr.com
Well, http://stud4.tuwien.ac.at/~e0225227/ would be nice... (mng xpi) ...but half of the students at tuwien can host webpages on this server. Do you trust them? :)
I wouldn't mind having my site at http://ted.mielczarek.org/code/mozilla/ whitelisted, but I get the feeling that most people install the extensions from u.m.o anyway, so it's probably not a big deal.
Well, Firefox now has a handy UI for adding items to your own whitelist. UMO is now on it, but *.m.o is not (to avoid bmo). Everyone is chipping in their favorite extension and theme sites, but I feel that the number of whitelisted sites should be pretty limited. At some point UMO will allow authors to upload updates to their extensions and themes. These will be verified by "staff" before they are approved to be listed. In other words, I don't think the whitelist needs to contain anything other than UMO.
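The granularity problem raised in the comments above (a shared host such as http://isp.com/~member/ cannot be allowed for one member only, and a *.mozilla.org entry would also cover bugzilla.mozilla.org), shown as an added example that is not part of the bug thread and is not Mozilla's XPInstall code. The entry syntax, the function names and the sample URLs are assumptions made for the illustration.

```javascript
// Added illustration, not Mozilla's XPInstall code.
// Assumed entry syntax: "host" matches exactly; "*.domain" matches the
// domain itself and every subdomain. Only the host is ever compared.
function hostAllowed(allowlist, url) {
  let host;
  try {
    const u = new URL(url);
    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
    host = u.hostname.toLowerCase();
  } catch (e) {
    return false; // unparsable URL: deny by default
  }
  return allowlist.some((raw) => {
    const entry = raw.toLowerCase();
    if (entry.startsWith("*.")) {
      const base = entry.slice(2);
      // Require a label boundary so "notmozilla.org" never matches.
      return host === base || host.endsWith("." + base);
    }
    return host === entry;
  });
}

// Report which install sources a given allowlist would let through.
function audit(allowlist, urls) {
  return urls.map((url) => ({ url, allowed: hostAllowed(allowlist, url) }));
}

// Constructed sample URLs: hypothetical paths on hosts named in the thread
// (update.mozilla.org is the host the thread abbreviates as UMO).
const samples = [
  "http://isp.com/~member/theme.xpi",
  "http://isp.com/~someone-else/installer.xpi",
  "https://update.mozilla.org/extensions/example.xpi",
  "https://bugzilla.mozilla.org/attachment.cgi?id=0",
  "http://notmozilla.org/example.xpi",
];

for (const list of [["isp.com"], ["*.mozilla.org"], ["update.mozilla.org"]]) {
  console.log(JSON.stringify(list));
  for (const r of audit(list, samples)) {
    console.log("  " + (r.allowed ? "ALLOW" : "BLOCK") + " " + r.url);
  }
}
```

With the `isp.com` entry both member paths are allowed, and of the three lists only the exact `update.mozilla.org` entry keeps the bugzilla.mozilla.org attachment URL blocked.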
Wontfix; instead we need a decent UI (such as the one Firefox has added) that lets people create their own custom whitelist. See also bug 246375 (don't require whitelisting for theme installs).
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX